commit | 4ed6cfb83b6f3c28d21af1eaa59b821d723366f5 | [log] [tgz] |
---|---|---|
author | Ted Wang <tedwang@google.com> | Mon Aug 01 15:15:11 2022 +0800 |
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | Thu Aug 18 02:23:27 2022 +0000 |
tree | e2d68658a2a7d8b006c971928b697f3e78caa977 | |
parent | ca63e26d2cc4e3a807a617defca088f606843382 [diff] |
Add length check when copy AVDTP packet Bug: 232023771 Test: make Tag: #security Ignore-AOSP-First: Security Change-Id: I68dd78c747eeafee5190dc56d7c71e9eeed08a5b Merged-In: I68dd78c747eeafee5190dc56d7c71e9eeed08a5b (cherry picked from commit ed9a843cf147bbfa1a80f2507769014958940eb4) Merged-In: I68dd78c747eeafee5190dc56d7c71e9eeed08a5b
diff --git a/system/stack/avdt/avdt_msg.cc b/system/stack/avdt/avdt_msg.cc
index a3e71c8..7a3ed28 100644
--- a/system/stack/avdt/avdt_msg.cc
+++ b/system/stack/avdt/avdt_msg.cc
@@ -1252,6 +1252,10 @@ * would have allocated smaller buffer. */ p_ccb->p_rx_msg = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE); + if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE) { + android_errorWriteLog(0x534e4554, "232023771"); + return NULL; + } memcpy(p_ccb->p_rx_msg, p_buf, sizeof(BT_HDR) + p_buf->offset + p_buf->len); /* Free original buffer */
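Review bot: The new size check runs after `p_ccb->p_rx_msg = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE);`, so the `return NULL;` path leaves `p_ccb->p_rx_msg` pointing at a freshly allocated buffer whose BT_HDR fields were never written. If a later fragment is appended to that buffer using its `offset`/`len` (that code is not visible in this hunk), those values would be uninitialized heap contents, so the reject path should not leave a live reassembly buffer behind. The early return also skips the step announced by the trailing `/* Free original buffer */` comment, which suggests `p_buf` is leaked when the packet is rejected; confirm this against the caller's ownership rules. Moving the `if` above the `osi_malloc` line and adding `osi_free(p_buf);` before `return NULL;` would address both. The enclosing function starts and ends outside the hunk.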